General
Target: 06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe
Size: 745KB
Sample: 240508-s1h9zsdh36
MD5: 48ba8c1d6e9081bfb88c1988ce9e1b94
SHA1: 4258ca2ef7d11d6dc1f56127118685e838f84085
SHA256: 06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24
SHA512: dcbdc1e789feb41c8dffbb06e79e16bb9469681c7785a580988987080635f1a68b68c6c8262bc3b7786fc3c4bb0ea5fe1fd4056d62b09f2b45e94281d836eba8
SSDEEP: 12288:MOriJsEuLO0bCk1mtIXrQ3qCT6YTZpCMMsyqUzrCkjb7dGA+2VCMWMXEAmD:6PuLOu7MyXu96Cv3yqUzrrn7dGlCCrq
Static task: static1
Malware Config
Extracted
Family: remcos
Version: 1.7 Pro
Botnet: act leads
C2: 62.102.148.189:11274

audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: act
keylog_path: %AppData%
mouse_option: false
mutex: remcos_xxbfeafkoj
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: 06ca6e79b1e98c0d2223781294b4663da9d8e31d0d4e0a0528058fe74865db24.exe (size and hashes as listed under General)
Signatures:
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext